BKINTDET.RVW 990423 "Intrusion Detection", Edward G. Amoroso, 1999, 0-9666700-7-8, U$49.95 %A Edward G. Amoroso eamoroso@mail.att.net %C P. O. Box 78, Sparta, NJ 07871 %D 1999 %G 0-9666700-7-8 %I Intrusion.Net Books %O U$49.95 973-448-1866 fax: 973-448-1868 order@intrusion.net %O http://www.amazon.com/exec/obidos/ASIN/0966670078/robsladesinterne %P 218 p. %T "Intrusion Detection" This is not (very much not) to be confused with the identically named, and almost equally recent, book by Escamilla (cf. BKINTRDT.RVW). Where Escamilla's is basically a large brochure for various commercial systems, Amoroso has specifically chosen to avoid products, concentrating on concepts, and not a few technical details. The text is based on material for an advanced course in intrusion detection, but is intended for administrators and system designers with a security job to do. Chapter one, after demonstrating that the term means different things to different people, gives us an excellent, practical, real world definition of intrusion detection. This is used as the basis for an examination of essential components and issues to be dealt with as the book proceeds. Five different processes for detecting intrusions are discussed in chapter two. Each method spawns a number of "case studies," which, for Amoroso, means looking at how specific tools can be used. (This style is far more useful than the normal business case studies that are long on who did what and very short on how.) Intrusion detection architecture is reviewed in chapter three, enlarging the conceptual model to produce an overall system. Chapter four defines intrusions in a way that may seem strange, until you realize that it is a very functional description for building detection rules. The problem of determining identity on a TCP/IP internetwork is discussed in chapter five, but while the topic is relevant to intrusion detection, few answers are presented. Correlating events is examined in chapter six. Chapter seven looks at setting traps, primarily from and information gathering perspective. The book ends with a look at response in chapter eight. The bibliography is, for once, annotated. While I do not always agree with Amoroso's assessments; I think he tends to give the benefit of the doubt to some who primarily deliver sensation; the materials are generally high quality resources from the field. Books and online texts are included, although the emphasis is on journal articles and conference papers. The content is readable and, although it seems odd to use the word in relation to a security work, even fun. I suppose, though, that I must point out that your humble "worst copy editor in the entire world" reviewer found a significant number of typographic errors. (And some that can't be put down to typos: I think you'll find that it's "berferd" rather than "berford.") This book works on a great many levels. It provides an overall framework for thinking about security. It thoroughly explains the concepts behind intrusion detection. And it gives you some very practical and useful advice for system protection for a variety of operating systems and using a number of tools. I can recommend this to anyone interested in security, with the only proviso being that you are going to get the most out of it if you are, indeed, responsible for designing network protection. copyright Robert M. Slade, 1999 BKINTDET.RVW 990423